Standa Laznicka wrote: > Hello, > > Since we're trying to make FreeIPA work in FIPS we got to the point > where we need to do something with MD5 fingerprints in the cert plugin. > Eventually we came to a realization that it'd be best to get rid of them > as a whole. These are counted by the framework and are not stored > anywhere. Note that alongside with these fingerprints SHA1 fingerprints > are also counted and those are there to stay. > > The question for this ML is, then - is it OK to remove these or would > you rather have them replaced with SHA-256 alongside the SHA-1? MD5 is a > grandpa and I think it should go.
I based the values displayed on what certutil displayed at the time (7 years ago). I don't know that anyone uses these fingerprints. The OpenSSL equivalent doesn't include them by default. You may be able to deprecate fingerprints altogether. rob -- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
